Benefits

Protects CUI by monitoring all communications and traffic for malicious activity

Supports incident response and risk-assessment exercises

Enables compliance with DFARS cybersecurity requirements

Managed Threat Detection and Response to meet NIST 800-171 Compliance

Today, federal departments and agencies are increasingly digitized and subcontracted. This has led to an explosion of government data held in the information systems of subcontractors who work with sensitive or confidential data related to agriculture, finance, military and other areas that fall under federal regulations.

To keep this information secure, Executive Order 13556 established the Controlled Unclassified Information (CUI) program, which standardizes how federal agencies, and the contractors that handle their data, protect unclassified information that requires safeguarding or dissemination controls, such as personally identifiable information or sensitive government assets.

To apply that program to contractor systems, NIST issued Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, commonly referred to simply as the NIST 800-171 standard. The US Department of Defense followed with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirement (clause 252.204-7012), which requires defense contractors to meet NIST 800-171 or risk losing their contracts.

SOC and NIST 800-171 and DFARS 7012 Compliance

Controlled Unclassified Information (CUI) can be stored in a variety of repositories, such as file servers, databases, access logs and other types of unstructured and structured data repositories. Safeguarding access to CUI and defending it from outside attack requires diligent administration and close cooperation between the IT teams and the many business units that need access to the data.

In addition, NIST 800-171 requires each defense contractor to maintain a continuous monitoring capability that monitors, filters, logs and alerts on suspicious activity on the contractor’s network. DFARS 7012 adds an incident-reporting obligation: cyber incidents affecting covered defense information must be reported to the DoD through DIBNet, within 72 hours of discovery, which in practice means all logged activity has to be reviewed promptly enough to spot an incident in time. Many contractors enlist an MSP or MSSP for this work, and a Security Operations Center provides the active monitoring and alerting needed to stay ahead of threats and report them within that window.

Arctic Wolf Compliance Solution for NIST 800-171

Section 3.1 Access Control

3.1.20: Verify and control/limit connections to and use of external information systems.

The AWN CyberSOC service receives firewall logs, which record the external systems that internal hosts connect to and can be used as evidence for this requirement. The control itself still lives in the contractor’s firewall policy: the logs demonstrate that connections are verified and reviewed, not by themselves that they are limited.

Section 3.3 Audit and Accountability

3.3.5: Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious or unusual activity.
3.3.6: Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.8: Protect audit information and audit tools from unauthorized access, modification and deletion.

3.3.5: AWN CyberSOC™ delivers this via automated correlation tools and adds a Concierge Security Engineer™ (CSE) to reduce false positives and provide additional context and actionable intelligence.

3.3.6: Arctic Wolf has many standard reports and can create custom reports on an ad-hoc or weekly schedule. We also support our customers in the event of an audit or external investigation, including export of event/log data or real-time discovery via screen sharing with your assigned CSE.

3.3.8: Arctic Wolf has strict security policies in place to prevent unauthorized access to SOC tools, and log data is encrypted in transit and at rest. Encryption addresses unauthorized access; to show that retained records have not been modified or deleted, the stored log data also needs integrity protection, such as write-once storage or a hash chain whose head is kept outside the log writer’s control.
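The following is an added example, not Arctic Wolf’s code, of one way to make an audit log tamper-evident for 3.3.8: each record is linked to the previous one with a keyed hash, so a modified record, a record removed from the middle, or a truncated log fails verification. The key, the sample records and the anchoring of the chain head are all constructed for this illustration; in a real deployment the key would live in a KMS or HSM and the latest chain head would be sent somewhere the log writer cannot alter, such as the SOC or write-once storage.

```python
"""Added example, not Arctic Wolf code: a keyed hash chain that makes an audit
log tamper-evident, so modification or deletion of a record (3.3.8) shows up at
review time. The key, the records and the anchoring scheme are constructed for
illustration; a real deployment would hold the key in a KMS/HSM and anchor the
chain head off-host (SOC, WORM storage) where the log writer cannot change it."""
from __future__ import annotations

import copy
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-use"   # illustrative only, never hard-code a real key
GENESIS = "0" * 64                        # link value for the first record

# Constructed sample records, shaped like what an audit pipeline might emit.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T09:00:01Z", "user": "jsmith", "event": "login", "mfa": True},
    {"ts": "2024-03-01T09:04:12Z", "user": "jsmith", "event": "read", "object": "cui/contract-42.pdf"},
    {"ts": "2024-03-01T09:05:30Z", "user": "jsmith", "event": "logout"},
]


def _link(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous hash and the canonical JSON of this record."""
    msg = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "hash": _link(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list, expected_head: str | None = None) -> tuple[bool, int | None]:
    """(True, None) if intact; otherwise (False, index of the first entry that fails).
    An index equal to len(chain) means the chain is internally consistent but its
    head does not match the externally anchored value: records were removed from
    the end, which the chain alone cannot detect."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:            # a record was removed or reordered
            return False, i
        if not hmac.compare_digest(entry["hash"], _link(prev, entry["record"])):
            return False, i              # the record or its stored hash was altered
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def demo() -> dict:
    """Build a chain, then show what each kind of tampering looks like to verify()."""
    chain: list = []
    for rec in SAMPLE_RECORDS:
        append(chain, rec)
    head = chain[-1]["hash"]                        # would be anchored off-host in real life

    modified = copy.deepcopy(chain)
    modified[1]["record"]["object"] = "public/readme.txt"   # rewrite what was read

    deleted_middle = copy.deepcopy(chain)
    del deleted_middle[1]                           # drop the incriminating record

    truncated = copy.deepcopy(chain)[:-1]           # drop the newest record

    return {
        "clean": verify(chain, head),
        "modified": verify(modified, head),
        "deleted_middle": verify(deleted_middle, head),
        "truncated_without_anchor": verify(truncated),      # passes: needs the anchor to catch it
        "truncated_with_anchor": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:25s} intact={outcome[0]} first_bad={outcome[1]}")
```

The truncation case is the one worth remembering: a hash chain by itself only proves that the records you still have are consistent with each other, so the current head has to be recorded somewhere the log writer cannot reach for deletion of the newest records to be detectable.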

Section 3.5 Identification and Authentication

3.5.3: Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts.

Arctic Wolf can ingest log data from the MFA systems in use, such as Okta or Duo, providing evidence that MFA is being exercised for this requirement. The MFA itself must still be deployed and enforced by the contractor; the logs show that it is in use, not that every account and access path is covered.

Section 3.11 Risk Assessment

3.11.2: Periodically scan for vulnerabilities in information systems and applications, as well as when new vulnerabilities affecting the system are identified.

This is a core function of the Arctic Wolf service for externally exposed systems. Note that the requirement covers internal systems and applications as well, so external scanning alone satisfies only part of it and should be paired with internal vulnerability scanning.

Section 3.13 System and Communication Protection

3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.14: Control and monitor the use of voice over Internet protocol (VoIP) technologies.

3.13.1: The Arctic Wolf sensor generates NetFlow data at egress points to the public internet, and can also work off SPAN/mirror ports for key internal subnets/VLANs, providing monitoring and alerting based on that flow data.
3.13.5: Arctic Wolf can collect firewall log data from servers or systems installed in the separated zones. Building the separated subnetwork (the DMZ) remains the contractor’s task; the collected logs provide the evidence that traffic into and out of it is monitored.
3.13.14: VoIP traffic can be monitored by an Arctic Wolf sensor using an internal tap or SPAN/mirror configuration. If the central server (call manager, etc.) provides logs via syslog, those can be used for additional context and alerting.
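The following is an added example, not Arctic Wolf’s code or the sensor’s real export format, of the kind of review that turns egress flow records into evidence for 3.1.20 and alerts for 3.13.1: each flow leaving the internal range is checked against an allowlist of approved external systems and the ports approved for them, and flows to anything else, or unusually large outbound transfers, are queued for the SOC to look at. The flow records, the allowlist, the internal range, the 100 MiB threshold and the field layout are all constructed for this illustration.

```python
"""Added example, not Arctic Wolf code: review egress flow records against an
allowlist of approved external systems (3.1.20) and alert on unexpected
destinations, ports and bulk outbound transfers (3.13.1).
The flow records, allowlist, thresholds and field layout are constructed for
this illustration and are not the sensor's real export format."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample export from an egress sensor, one flow per line:
# timestamp,src_ip,dst_ip,dst_port,proto,bytes_out
SAMPLE_FLOWS = """\
2024-03-01T09:00:01Z,10.20.5.14,203.0.113.10,443,tcp,18220
2024-03-01T09:00:07Z,10.20.5.14,203.0.113.10,443,tcp,2040
2024-03-01T09:01:13Z,10.20.7.22,198.51.100.77,22,tcp,91
2024-03-01T09:02:40Z,10.20.7.22,198.51.100.77,22,tcp,734003200
2024-03-01T09:03:02Z,10.20.9.3,192.0.2.55,53,udp,120
2024-03-01T09:03:09Z,10.20.9.3,192.0.2.55,4444,tcp,512
"""

# Hypothetical allowlist of approved external information systems: the
# destination network and the ports the business has approved for it.
APPROVED_EXTERNAL = {
    ipaddress.ip_network("203.0.113.0/24"): {443},  # e.g. an approved SaaS provider
    ipaddress.ip_network("192.0.2.55/32"): {53},    # e.g. an approved DNS resolver
}
INTERNAL = ipaddress.ip_network("10.20.0.0/16")   # the contractor's internal range (assumed)
BULK_BYTES = 100 * 1024 * 1024                     # a single flow moving > 100 MiB out gets flagged


@dataclass
class Flow:
    time: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    proto: str
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV-style export; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes = line.split(",")
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(port), proto, int(nbytes)))
    return flows


def is_approved(dst, port: int) -> bool:
    """True only if dst is inside an approved network AND the port is approved for it."""
    for net, ports in APPROVED_EXTERNAL.items():
        if dst in net:
            return port in ports
    return False


def classify(flow: Flow) -> list[str]:
    """Reasons this flow should be reviewed; an empty list means it is approved."""
    reasons = []
    if flow.src not in INTERNAL:
        reasons.append(f"source {flow.src} is not an internal host")
    if not is_approved(flow.dst, flow.dst_port):
        reasons.append(f"{flow.dst}:{flow.dst_port}/{flow.proto} is not an approved external system")
    if flow.bytes_out > BULK_BYTES:
        reasons.append(f"bulk outbound transfer of {flow.bytes_out} bytes")
    return reasons


def review_flows(text: str) -> dict:
    """Split an export into a count of approved flows and a list of alerts for the SOC."""
    approved = 0
    alerts = []
    for flow in parse_flows(text):
        reasons = classify(flow)
        if reasons:
            alerts.append({"time": flow.time, "src": str(flow.src), "dst": str(flow.dst),
                           "port": flow.dst_port, "reasons": reasons})
        else:
            approved += 1
    return {"approved": approved, "alerts": alerts}


def unapproved_destinations(alerts: list[dict]) -> dict[str, set[str]]:
    """Per internal host, the unapproved destinations it reached (the audit-evidence view)."""
    by_host: dict[str, set[str]] = {}
    for a in alerts:
        by_host.setdefault(a["src"], set()).add(f'{a["dst"]}:{a["port"]}')
    return by_host


if __name__ == "__main__":
    result = review_flows(SAMPLE_FLOWS)
    print(f'{result["approved"]} approved flows, {len(result["alerts"])} to review')
    for a in result["alerts"]:
        print(a["time"], a["src"], "->", f'{a["dst"]}:{a["port"]}', "|", "; ".join(a["reasons"]))
    print(unapproved_destinations(result["alerts"]))
```

Two design points carry over to a real deployment: the allowlist keys on destination and port together, so an approved resolver reached on 4444 is still an alert, and the bulk-transfer check is independent of the allowlist, so a large upload to an unapproved host produces two distinct reasons rather than one, which makes the alert easier to triage.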